Microsoft released eight bulletins addressing 13 vulnerabilities in Internet Explorer, Windows operating system, and Office as part of May's Patch Tuesday update. Three of them are already being exploited in the wild, Microsoft said. And if you use XP, you are out in the cold.

While Microsoft did not release any patches for XP users, experts believe the issues affect the old operating system as well. Microsoft ended support for Windows XP last month, which means users no longer receive security patches for it. Enterprises that shelled out for extended support contracts will still receive updates.

Fixing IE, Under Attack

The Internet Explorer update (MS14-029) is the highest priority patch this month. It differs from other IE patches in that it is not cumulative, which means users must install last month's cumulative IE update (MS14-018) before installing this patch. This month's bulletin includes the out-of-band fix from earlier this month that closed a zero-day vulnerability (CVE-2014-1776). The bulletin also fixed two memory corruption vulnerabilities (CVE-2014-1815) which could result in remote code execution. Microsoft said there were "limited attacks" attempting to exploit one of the IE bugs.

"It's important to make sure that you apply MS14-018 and MS14-029 if you haven't already applied last month's IE cumulative update," said Tyler Reguly, manager of security research at Tripwire.

Attacks in the Wild

Microsoft fixed an elevation of privilege flaw in Group Policy Preferences (MS14-025) and said there were already attacks in the wild targeting this bug. A flaw in how Active Directory distributes passwords that are configured using Group Policy Preferences could allow attackers to retrieve obfuscated domain account credentials and use them to run privileged processes.
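The check a defender would want after reading the paragraph above, written here as an added example (it is not code from the article, from Microsoft or from any of the quoted vendors): Group Policy Preferences stored account passwords in policy XML files under the SYSVOL share as a reversibly obfuscated "cpassword" attribute. The patch stops new passwords being written, but files already on the share have to be found and cleaned by hand, so this script parses the known preference files and reports every element that still carries the attribute. The file names and attribute names are the real ones used by Group Policy Preferences; the sample XML, account name and cpassword value are constructed for this example.

```python
"""Find Group Policy Preferences files that still carry a cpassword attribute.

Added defensive example (not code from the article or from Microsoft) for the
MS14-025 issue: Group Policy Preferences could store an account password in
policy XML under SYSVOL as a reversibly obfuscated 'cpassword' attribute. This
script reports every element that still has one so the preference can be
removed and the password rotated. File and attribute names are the real GPP
ones; the sample XML, account name and cpassword value are constructed.
"""
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Preference files whose items may carry a cpassword attribute.
GPP_FILES = {
    "Groups.xml", "Services.xml", "ScheduledTasks.xml",
    "DataSources.xml", "Drives.xml", "Printers.xml",
}

# Attributes GPP uses for the account the password belongs to.
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "newName")


def find_cpasswords(xml_data, source="<inline>"):
    """Return one finding dict per element with a non-empty cpassword attribute.

    xml_data may be str or bytes (bytes lets the parser honour the file's own
    encoding declaration). A file that fails to parse is reported as an error
    finding rather than silently skipped, so a malformed file is not mistaken
    for a clean one.
    """
    try:
        root = ET.fromstring(xml_data)
    except ET.ParseError as exc:
        return [{"source": source, "error": str(exc)}]
    findings = []
    for elem in root.iter():
        if elem.get("cpassword"):  # an empty value means the password was already removed
            account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), "")
            findings.append({"source": source, "element": elem.tag, "account": account})
    return findings


def scan_sysvol(root_dir):
    """Walk a SYSVOL share (or an exported copy) and check every known GPP file."""
    findings = []
    for path in Path(root_dir).rglob("*.xml"):
        if path.name in GPP_FILES:
            findings.extend(find_cpasswords(path.read_bytes(), str(path)))
    return findings


# Constructed Groups.xml: one local-user preference with a cpassword set.
# The cpassword value is a placeholder, not a real obfuscated password.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="svc-backup" image="2">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="CONSTRUCTED-EXAMPLE-NOT-A-REAL-VALUE"
                changeLogon="0" noChange="1" neverExpires="1"
                acctDisabled="0" userName="svc-backup"/>
  </User>
</Groups>
"""

# The same preference after the password has been removed: nothing to report.
CLEAN_GROUPS_XML = SAMPLE_GROUPS_XML.replace(
    'cpassword="CONSTRUCTED-EXAMPLE-NOT-A-REAL-VALUE"', "")

if __name__ == "__main__":
    # Usage: python gpp_cpassword_scan.py <path-to-SYSVOL-or-export>
    # Without a path, the constructed sample is scanned instead.
    if len(sys.argv) > 1:
        results = scan_sysvol(sys.argv[1])
    else:
        results = find_cpasswords(SAMPLE_GROUPS_XML, "Groups.xml")
    for finding in results:
        print(finding)
```

Point the script at the domain's SYSVOL share (or a copy of it) to list every policy still carrying a stored password; for each hit, the preference should be deleted and the account's password rotated, since applying the patch alone leaves the existing file in place. An empty cpassword attribute is treated as already cleaned, and a file that does not parse is reported as an error so it is not mistaken for a clean one.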

The bulletin addressing an ASLR bypass (MS14-024) actually has an "important" rating, rather than "critical," but should be considered high priority, noted Ross Barrett, senior manager of security engineering at Rapid7. The issue is not really an exploit in and of itself, but is a weakness that can be used in conjunction with other exploits, Barrett said. This bypass has been detected in use in conjunction with other attacks. Attackers are also exploiting a privilege elevation vulnerability in Windows to gain access to the Local System account (MS14-027) in targeted attacks.

"Both fixes are highly recommended and will go a long way to making your setup more robust," said Wolfgang Kandek, CTO of Qualys.

Home Office Users on Alert

The Office patch (MS14-023) was "very interesting" to Tripwire's Tyler Reguly, who noted that he uses Microsoft OneDrive and Office 365 Home at home, and the remote code execution flaw would affect how tokens are passed in OneDrive. "I'll need to be hyper-vigilant in monitoring my family's usage of these services until I can get the updates deployed across all of our computers," Reguly said.

XP Users in the Cold

Microsoft ended support for Office 2003 and SharePoint 2003 along with Windows XP last month. The majority of the vulnerabilities addressed in the May Patch Tuesday release "probably" affect Windows XP and Office 2003, said Kandek, who assumed that any vulnerability affecting Windows Server 2003 would likely impact XP. This means the flaws addressed in the patches for Internet Explorer, ASLR, Group Policy, and SharePoint are present in XP or Office 2003.

At least one of the non-critical vulnerabilities fixed in Microsoft Office is likely present in Office 2003. This month's updates fixed three critical vulnerabilities in SharePoint Server versions 2007, 2010 and 2013, Office Web Apps, SharePoint Designer and SharePoint Server 2013 Client Components SDK. Even though Microsoft fixed Internet Explorer for XP in the out-of-band update, it did not include XP in this month's patch release. The IE flaw currently under attack almost certainly affects Windows XP.

"We've had false starts before, but this time Microsoft really are going to tell the world about security vulnerabilities in Windows and not patch them in XP," wrote security expert Graham Cluley on the Lumension blog. Attackers regularly reverse-engineer patches to find the vulnerabilities, and they will likely be looking to see if the same issues exist on XP. With the release of the patches, the clock is ticking.

"If you're still running Windows XP, it means moving forward with your plan to switch from the operating system to something better at the earliest, safest opportunity," Cluley said. "Whichever version of Windows you are running, do the right thing."

About the Author

Fahmida Y. Rashid is a senior analyst for business at PCMag.com. She focuses on ways businesses can use technology to work efficiently and easily. She is paranoid about security and privacy, and considers security implications when evaluating business technology. She has written for eWEEK, Dark Reading, and SecurityWeek covering security, core Inte...
